United States Department of State
and the Broadcasting Board of Governors

Office of Inspector General


Executive Summary

Government Information Security Reform Act
Broadcasting Board of Governors
FY 2002 Submission

September 16, 2002

UNCLASSIFIED

EXECUTIVE SUMMARY

PURPOSE

In response to the Government Information Security Reform Act (GISRA), Public Law 106-398, the Office of Inspector General (OIG) performed an independent evaluation of the information security program and practices of the Broadcasting Board of Governors (BBG). This executive summary provides the results of OIG’s evaluation in two parts. Part I summarizes the results of OIG’s review of BBG’s information security program. Part II contains OIG’s assessment of BBG’s information security program using performance measures provided by the Office of Management and Budget (OMB).


PART I
Results of OIG’s Information Security Program Evaluation (Report IT-A-02-07)

OIG’s evaluation of the effectiveness of BBG’s information security program concluded that BBG has made progress, but more must be done to comply with GISRA. BBG has developed an agency-wide information security program, has performed program-level self-assessments, and has documented the results of those self-assessments in its quarterly reporting of the agency’s plans of action and milestones to OMB. That reporting identified 37 information security weaknesses, of which 20 have been corrected. Also, BBG is in the process of hiring a contractor to develop and revise the required information security-related policies and procedures.

OIG also found several key areas of security that still require management attention. Specifically, BBG needs to develop an incident response process and reporting procedures to share information effectively on common vulnerabilities and threats. OIG also concluded that BBG lacks security and contingency plans at the system and major application level and needs to develop these plans to meet its information security requirements and comply with GISRA. Lastly, OIG found that BBG lacks an information security training program and must develop and implement a program that addresses the needs of the agency and its employees.


PART II
OIG Assessment of the Broadcasting Board of Governors’ Information Security Program Based on OMB Performance Measures

A. General Overview

1. N/A

2. Identify and describe as necessary the total number of programs and systems in the agency, the total number of systems and programs reviewed by the program officials, CIOs, or OIGs in both last year’s report (FY 01) and this year’s report (FY 02) according to the format provided below. Agencies should specify whether they used the NIST self-assessment guide or an agency developed methodology. If the latter was used, confirm that all elements of the NIST guide were addressed.

TABLE A.1: PROGRAM AND SYSTEM REVIEWS

                                                      FY 2001   FY 2002
2a  Total number of agency programs.                        6         6
2b  Total number of agency systems.                        49        31
2c  Total number of programs reviewed by OIG.               4         6
2d  Total number of systems reviewed by OIG.                2         0

Note 1: In 2a, agency programs include: International Broadcasting Bureau, Office of Computing Services, Office of Cuba Broadcasting, Office of Internet Development, Office of Engineering and Technical Services, and Voice of America Broadcast Operations.
Note 2: In 2b, agency totals show all systems as represented in BBG’s functional area security plans for FY 2002.

BBG has taken steps to consolidate its information systems under five functional areas. These steps include:

  • Designating existing program offices as functional areas and designating all systems within each functional area as one system;
  • Performing internal risk assessments at the functional area level and incorporating the risk assessments as a major part of the functional area security plans;
  • Completing self-assessments of the International Broadcasting Bureau (IBB) and five functional areas, without using National Institute of Standards and Technology (NIST) standard methodology; and
  • Incorporating self-assessment results into the plans of action and milestones (POA&M) for the BBG submission to OMB.

In FY 2001, OIG performed two systems reviews and four program reviews. In FY 2002, using NIST guidance tailored for OIG’s evaluation, OIG reviewed the IBB agency-wide information security program and the five functional area programs. At the time of this review, BBG had not completed its FY 2002 self-assessment reviews. However, BBG’s chief information officer (CIO) told OIG that these assessments would be completed using NIST guidance by the end of FY 2002.

3. Identify all material weaknesses in policies, procedures, or practices as identified and required to be reported under existing law. (Section 3534(1)-(2) of the Security Act.) Identify the number of reported material weaknesses for FY 01 and FY 02, and the number of repeat weaknesses in FY 02.

TABLE A.2: MATERIAL WEAKNESSES

                                                      FY 2001   FY 2002
3a  Number of material weaknesses reported.                 0         0
3b  Number of material weaknesses repeated in FY02.         0         0

BBG reported no material weaknesses in either FY 2001 or FY 2002.

B. Responsibilities of Agency Head

1. Identify and describe any specific steps taken by the agency head to clearly and unambiguously set forth the Security Act’s responsibilities and authorities for the agency CIO and program officials. Specifically, how are such steps implemented and enforced? Can a major operating component of the agency make an IT investment decision without review by and concurrence of the agency CIO?

For FYs 2001 and 2002, BBG took a number of actions to develop and implement its security program. Specifically, in FY 2001, the Director, International Broadcasting Bureau, appointed the associate director for management as the CIO. In addition, BBG developed an agency-wide information security program plan and five functional area level security plans. Finally, responsible program officials and the CIO performed functional-level internal risk assessments. In FY 2002, responsible program officials and the CIO performed functional-level self-assessments. Also, BBG obtained a contractor to develop information security policies and procedures.

Under the BBG’s information security program, the CIO is also responsible for IT planning and budgeting activities, with assistance from the Broadcast Technology Steering Committee. The Broadcast Technology Steering Committee reviews and recommends funding for all IT projects. OIG did not perform work to determine the role of the CIO in the IT acquisition process.

2. How does the head of the agency ensure that the agency’s information security plan is practiced throughout the life cycle of each agency system? (Sections 3533(a)(1)(A)-(B), (b)(3)(C)-(D), (b)(6) and 3534(a)(C) of the Security Act.) During the reporting period, did the agency head take any specific and direct actions to oversee the performance of 1) agency program officials and 2) the CIO to verify that such officials are ensuring that security plans are up-to-date and practiced throughout the life cycle of each system?

The agency head, through the Director of the International Broadcasting Bureau, delegated all information security authority and responsibility to BBG’s CIO. OIG found no other actions taken by the head of the agency to oversee the performance of agency program officials and the CIO to verify that functional area managers are ensuring that security plans are up-to-date and practiced throughout the life cycle of each system.

Under the CIO’s direction, during FY 2001, BBG completed security plans for each of its five functional areas and, for FY 2002, identified each of its five functional areas as a general support system or major application. It designated all systems within each functional area as one system. OIG found that BBG’s approach to developing system security plans was flawed because it focused solely on functional areas and not individual systems.

3. How has the agency integrated its information and information technology security program with its critical infrastructure protection responsibilities, and other security programs (e.g., continuity of operations, and physical and operational security)? (Sections 3534(a)(1)(B) and (b)(1) of the Security Act.) Does the agency have separate staffs devoted to other security programs, are such programs under the authority of different agency officials, and if so what specific efforts have been taken by the agency head or other officials to eliminate unnecessary duplication of overhead costs and ensure that policies and procedures are consistent and complementary across the various programs and disciplines?

BBG is a relatively small federal agency with only minor information technology (IT) connectivity outside its operational environment. According to BBG’s CIO, it integrates its information technology security program with its internal critical infrastructure protection responsibilities through its security program and the International Broadcasting Technical Discussion Group.

The Director, Office of Security, is assigned responsibility for physical security, while information security is assigned to the CIO and delegated to the Director, Office of Computing Services. In BBG’s organizational structure, the Director, Office of Security, and the Director, Office of Computing Services, report to the CIO. No specific efforts have been taken by the agency head or other officials to eliminate unnecessary duplication of overhead costs and ensure that policies and procedures are consistent.

4. Has the agency undergone a Project Matrix review? If so, describe the steps the agency has taken as a result of the review. If no, describe how the agency identifies its critical operations and assets, their interdependencies and interrelationships, and how they secure those operations and assets. (Sections 3535(a)(1)(A)-(B), (b)(3)(C)-(D), (b)(6) and 3534(a)(C) of the Security Act.)

BBG has not undergone a Project Matrix review. According to BBG’s CIO, it is not necessary because the agency does not have any national security systems or connections between itself and other agencies, except for limited financial and payroll system connections with the Department of State. According to BBG, the Department is responsible for the security of those system connections.

5. How does the agency head ensure that the agency, including all components, has documented procedures for reporting security incidents and sharing information regarding common vulnerabilities? Identify and describe the procedures for external reporting to law enforcement authorities and to the General Services Administration’s Federal Information Incident Response Center (FedCIRC). Identify actual performance according to the measures and the number of incidents reported in the format provided below. (Section 3534(b)(2)(F)(i)-(iii) of the Security Act.)

The agency head has not ensured that the agency has documented procedures for reporting incidents and sharing information regarding common vulnerabilities. As OIG reported in its FY 2002 GISRA evaluation report, BBG lacks an information security incident response process and has no external security incident reporting procedures. GISRA requires that agencies have procedures in place for detecting, reporting, and responding to security incidents. Toward that end, BBG’s agency-wide information security program plan calls for each of its five functional area program officials to develop incident response and reporting procedures. However, four of the five program officials reported that the procedures had not been developed. The BBG information security program plan states that incidents should be reported to the CIO and the Office of Computing Services so that they can determine whether law enforcement agencies and the General Services Administration’s (GSA) Federal Computer Incident Response Center need to be notified. However, only one of the five BBG functional areas overseeing information technology (IT) security has documented procedures in place to react to information security incidents.

BBG officials informed OIG of only four information security incidents that occurred during FYs 2001 and 2002, none of which were reported outside the agency. Two of the incidents were not reported outside the functional area where they occurred. In two of the four instances, several thousand dollars were spent bringing in outside consultants to evaluate the damage caused by the incidents and to perform a risk assessment of the functional area information systems.

TABLE B.1: INCIDENT RESPONSE CAPABILITY

                                                                                        FY 2002
5a  Total number of agency components including bureaus, field activities
    (functional areas and worldwide transmitting sites).                                     29
5b  Number of agency components with incident handling and response capability.               0
5c  Number of agency components that report to FedCIRC.                                       1
5d  Does the agency and its major components share incident information with
    FedCIRC in a timely manner consistent with FedCIRC and OMB guidance?                      No
5e  What is the required average time to report to the agency and FedCIRC
    following an incident?                                                                   N/A
5f  How does the agency, including the programs within major components,
    confirm that patches have been tested and installed in a timely manner?        see note below

                                                                              FY 2001   FY 2002
5g  By agency and individual component, number of incidents (e.g.,
    successful and unsuccessful network penetrations, root or user account
    compromises, denial of service attacks, website defacing attacks,
    malicious code and virus, probes and scans, password access) reported
    by each component.                                                              2         2
5h  By agency and individual component, number of incidents reported
    externally to FedCIRC or law enforcement.                                       0         0

Note: In 5f, according to the BBG CIO, manufacturer’s documentation regarding patches is reviewed and the patches are then applied manually to all servers that require them. The patches are then pushed out to the workstations.

C. Responsibilities of Agency Program Officials

1. Have agency program officials: 1) assessed the risk to operations and assets under their control; 2) determined the level of security appropriate to protect such operations and assets; 3) maintained an up-to-date security plan (that is practiced throughout the life cycle) for each system supporting the operations and assets under their control; and 4) tested and evaluated security controls and techniques? (Section 3534(a)(2) of the Security Act.)

TABLE C.1: TOTAL SYSTEMS

      Component or Bureau Name                          Total Number of Systems
C1.1  Office of Computing Services                                            5
C1.2  Office of Cuba Broadcasting                                             4
C1.3  Office of Internet Development                                          1
C1.4  Office of Engineering and Technical Services                           20
C1.5  Voice of America Broadcasting Operations                                1
      Total Number of Agency Systems                                         31

Note: System totals come from functional area security plans and may not represent all BBG systems. BBG also reported on 23 systems in FY 2001 that were not reported under any of the functional area security plans in FY 2002. BBG did not provide OIG with information on these 23 systems.

1) BBG’s five functional areas performed internal risk assessments as part of their development of functional area security plans. All of the five functional areas performed their initial risk assessments internally, based on work experience.

2) BBG’s risk assessments assign a level of security protection required for its IT assets and operations based on its internal risk assessment. However, BBG has not documented these assessments.

3) BBG has not developed security plans at the system or major application level. Further, BBG’s approach to developing system security plans is flawed because it focuses solely on functional areas and not individual systems. System security plans, which are required by GISRA, provide an overview of system security requirements, describe established system controls, and provide a means for improving the protection of IT resources. During the latter part of FY 2001, BBG completed security plans for each of its five functional areas. However, it did not develop separate plans for each of the systems within these functional areas. For example, OIG found that one functional area grouped 20 of BBG’s 31 reported systems for FY 2002 under one security plan.

4) BBG did not provide OIG with any documentation supporting testing and evaluation of security controls. From its discussions with BBG officials, OIG is not clear that methodical testing and evaluation is taking place. OIG intends to review testing and evaluation in more depth during its FY 2003 independent evaluation.

By each major agency component and aggregated into an agency total, from last year’s report (FY 01) and this reporting period (FY 02) identify actual performance according to the measures and in the format provided below for the number and percentage of total systems.

BBG did not provide sufficient information for OIG to complete this section.

2. For operations and assets under their control, have agency program officials used appropriate methods (e.g., audits or inspections) to ensure that contractor-provided services (e.g., network or website operations) or services provided by another agency for their program and systems are adequately secure and meet the requirements of the Security Act, OMB policy and NIST guidance, national security policy, and agency policy? Identify actual performance according to the measures and in the format provided below. (Sections 3532(b)(2), 3533(b)(2), 3534(a)(1)(B) and (b)(1) of the Security Act.)

TABLE C.2: OFFICE OF INTERNET DEVELOPMENT

                                                             FY 2001   FY 2002
2a  Number of contractor operations or facilities.                 1         1
2b  Number of contractor operations or facilities reviewed.        0         0

BBG’s functional area/program officials have not used appropriate methods to ensure that contractor-provided services are adequately secure and meet statutory and regulatory guidance. BBG contracts with Genuity for its Voice of America Internet operations. However, as shown in the table above, it has not performed any security reviews of the services provided to the Voice of America under that operation. Also, on the island of Tinian in the South Pacific, BBG maintains a transmitting station that is government owned and contractor operated. As shown in the table below, the site has not been reviewed to determine whether it meets the requirements of GISRA, OMB policy and NIST guidance.

TABLE C.3: OFFICE OF ENGINEERING AND TECHNICAL SERVICES

                                                             FY 2001   FY 2002
2a  Number of contractor operations or facilities.                 1         1
2b  Number of contractor operations or facilities reviewed.        0         0

D. Responsibilities of Agency Chief Information Officers

1. Has the agency CIO: 1) adequately maintained an agency-wide security program; 2) ensured the effective implementation of the program and evaluated the performance of major agency components; and 3) ensured the training of agency employees with significant security responsibilities? Identify actual performance according to the measures and in the format provided below. (Section 3534(a)(3)-(5) and Section 3534(a)(3)(D), (a)(4), (b)(2)(C)(i)-(ii) of the Security Act.)

TABLE D.1: AGENCY-WIDE SECURITY PROGRAM

                                                                            FY 2001     FY 2002
1a  Other than GAO or IG audits and reviews, how many agency components
    and field activities received security reviews?                               6           6
1b  What percentage of components and field activities have had such
    reviews? (One bureau, five functional areas, 23 transmitting stations)      21%         21%
1c  Number of agency employees including contractors.                         3,237       3,191
1d  Number and percentage of agency employees including contractors
    that received security training.                                      13 (0.4%)   14 (0.4%)
1e  Number of employees with significant security responsibilities.              21          22
1f  Number of employees with significant security responsibilities that
    received specialized training.                                               13          14
1g  Briefly describe what types of security training were available.      see D.1.3   see D.1.3
1i  Do agency POA&Ms account for all known agency security weaknesses,
    including all components and field activities? If no, why not?              Yes         Yes
1j  Has the CIO appointed a senior agency information security official?         No          No

Note 1: In 1a, the number includes self-assessments.
Note 2: In 1c, employees and contractors are approximate numbers as of Oct. 2000 and Oct. 2001.

1) Adequately maintained an agency-wide security program.
BBG’s CIO has not adequately maintained an agency-wide security program. As shown in OIG’s FY 2002 GISRA independent evaluation report, BBG has developed an agency-wide information security program plan that assigns responsibility for information security and identifies the agency information management policy and security program manager as the CIO. The program also assigns five program officials the responsibility for implementing a risk management-based security program. Although BBG’s program plan appropriately covers the program level for addressing information security issues, BBG has decided not to develop information security plans at the system level. System security plans, which are required by GISRA, provide an overview of system security requirements, describe established system controls, and provide a means for improving the protection of information technology resources. BBG has completed security plans for each of its five functional areas; however, there are no separate plans for each of the systems within these functional areas. For example, OIG found that one functional area grouped 20 of BBG’s 31 reported systems for FY 2002 under one security plan.

2) Ensured the effective implementation of the program and evaluated the performance of major agency components.
The CIO has not ensured effective implementation of BBG’s security program. OIG reported in its FY 2002 independent evaluation that BBG’s information security policies and procedures were outdated and incomplete.[1] Agencies are required by GISRA to develop and implement security policies, procedures, and controls, which provide each system with security protections commensurate with the risk of system operations. In a recent risk assessment, an independent contractor reported that IBB lacked defined security policies to address configuration management and installation of non-mission related software. Also, GISRA requires that agencies have procedures in place for detecting, reporting, and responding to security incidents, and BBG’s agency-wide information security program plan reiterates this requirement. However, BBG lacks an information security incident response process and has no external security incident reporting procedures. Lastly, OIG reported in its FY 2002 GISRA evaluation that BBG lacks system or major application contingency plans to support all of its information technology operations. BBG’s information security program recognizes that contingency plans ensure an agency’s ability to recover from a disruption and provide service sufficient to meet the minimal needs of users, and it calls for the plans to be developed. However, OIG found that no system contingency plans had been developed and that only one of the five functional areas had a contingency plan.

3) Ensured the training of agency employees with significant security responsibilities.
The CIO has not ensured that employees with significant security responsibilities are trained adequately. Few employees at BBG receive any information security training, and those who do are technical employees. Although the BBG Information Security Program Plan acknowledges the need for information security training and assigns the Office of Computing Services responsibility for developing and implementing an information security education program, BBG officials reported that no specific information security training was taking place. Further, BBG lacked a formal mechanism for tracking individual training, and officials were not able to provide OIG with any statistical data on information security training that showed the classes taken, which employees took the classes, or the associated cost.

2. For operations and assets under their control (e.g., network operations), has the agency CIO used appropriate methods (e.g., audits or inspections) to ensure that contractor-provided services (e.g., network or website operations) or services provided by another agency are adequately secure and meet the requirements of the Security Act, OMB policy and NIST guidance, national security policy, and agency policy? Identify actual performance according to the measures and in the format provided below. (Sections 3532(b)(2), 3533(b)(2), 3534(a)(1)(B) and (b)(1) of the Security Act.)

TABLE D.2: CONTRACTOR OPERATIONS AND FACILITIES

                                                             FY 2001   FY 2002
2a  Number of contractor operations or facilities.                 2         2
2b  Number of contractor operations or facilities reviewed.        0         0

Note: 2a includes the Tinian transmission station and Office of Internet Development contracting operations.

The CIO has not used appropriate methods to ensure that contractor-provided services are adequately secure and meet statutory and regulatory guidance. BBG maintains a transmitting station on the island of Tinian, which is contractor operated. The site was not reviewed to determine whether it meets the requirements of GISRA, OMB policy and NIST guidance. However, BBG did review information systems related to this transmitting station as part of its risk assessment. BBG also contracts with Genuity for its Voice of America Internet operations, but no security reviews were performed on this operation.

3. Has the agency CIO fully integrated security into the agency’s capital planning and investment control process? Were security requirements and costs reported on every FY 03 capital asset plan (as well as in the exhibit 53) submitted by the agency to OMB? If no, why not? Identify actual performance according to the measures and in the format provided below. (Sections 3533(a)(1)(A)-(B), (b)(3)(C)-(D), (b)(6) and 3534(a)(C) of the Security Act.)

TABLE D.3: CAPITAL PLANNING AND INVESTMENT CONTROL PROCESS

                                                                        FY 2003    FY 2004
                                                                         Budget     Budget
                                                                       Materials  Materials
3a  Number of capital asset plans and justifications submitted to OMB.      0          0
3b  Number of capital asset plans and justifications submitted to OMB
    without requisite security information and costs?                       0          0
3c  Were security costs reported for all agency systems on the agency’s
    exhibit 53?                                                            N/A        N/A
3d  Have all discrepancies been corrected?                                 N/A        N/A
3e  How many have the CIO/other appropriate official independently
    validated prior to submittal to OMB?                                   N/A        N/A

According to the BBG CIO, BBG is not required to prepare an exhibit 53, and its capital asset plan is under development.


[1] Information Security Program Evaluation: Broadcasting Board of Governors (Report Number IT-A-02-07, September 2002)